Ransomware avalanche at Alpine hotel puts room keycards on ice

A top Austrian hotel coughed up thousands in ransom to cybercrooks, who hacked its computer system and locked guests out of their rooms until the money was paid. The Romantik Seehotel Jaegerwirt went public with its problems as a warning to other hotels. This is the second time the four-star destination has been hit. The …

  1. Old Handle

    Seems like a surprisingly low ransom for a clever targeted attack on 4-star ho tel.

    But perhaps that's why they went back for more.

    1. Paul Crawford Silver badge

      I guess they were trying to figure out how much they could extort before the hotel would simply bite the bullet and get the machines cleaned, etc. At €1,500 it's probably worth a throw of that dice, at €15,000 probably not.

      But they should be commended for going public - hopefully others will learn the lesson (repeated often enough here) to keep your critical systems off the network that has web/email access.

    2. Ken Moorhouse Silver badge

      Re: 4-star ho tel

      Do you know something about this place we should know about?

  2. Robert Carnegie Silver badge

    Bad Register

    The headline is tasteless and I haven't read the story or looked at the adverts.

    I read it at The Inquirer instead.

  3. Ken Moorhouse Silver badge

    Why didn't they target the program that manages bed-linen schedules?

    That would be a clear case of Money Laundering.

  4. Anonymous Coward

    Take your pick

    > Christoph Brandstaetter, said: "We are planning at the next room refurbishment for old-fashioned door locks with real keys. Just like 111 years ago at the time of our great-grandfathers."

    So that should be secure for about a week until the local crims re-learn the art of old-style lock picking.

    1. Anonymous Coward

      @2+2

      "So that should be secure for about a week until the local crims re-learn the art of old-style lock picking."

      Depends. The times where you could easily create a copy using some clay are long behind us. And then there's the time spent in front of a door to actually get the copy: I'm pretty sure the hotel got cameras and such.

      Then there's another problem: every serious hotel will also provide safety boxes in a room, usually providing plenty of space to keep your valuables in. So even if they do breach a door then there's still no guarantee that they'll stumble across something useful.

      1. druck Silver badge
        Thumb Down

        Re: @2+2

        The days of clay copies are indeed long behind us, a simple photograph and a 3D printer is all you need these days.

        And those safes in the room, even if they weren't next to useless security wise (default master codes) and far too small for anything else but a couple of passports and some jewellery, they are usually at additional cost, and most people don't bother.

        1. BebopWeBop
          Thumb Down

          Re: @2+2

          Well, they are small, but possibly I stay at the right places - I have never been charged for using one

        2. Anonymous Coward

          Never use an in-room hotel safe...

          ....most can be defeated by a long piece of stiff wire or a rubber mallet. I bought one before I knew better.

    2. Crazy Operations Guy

      Re: Take your pick

      "So that should be secure for about a week until the local crims re-learn the art of old-style lock picking."

      Or the lost art of stealing or buying a master key from one of the staff. Even if there is no master key, they could still just use a simple bump key to get in... And if that fails, there is also the possibility of just renting a room, copying the key, then using it to break into the room a few days later.

      Physical keys are also highly susceptible to the birthday attack in that there is a very limited number of combinations that can be used and it's quite likely that two or more rooms in even a modest sized hotel would share the same key pattern.

      Magnetic key cards were created specifically to prevent such basic attacks. That and not having to pay a locksmith to re-key a room if someone leaves with the key.

  5. rdhood

    Most hotel keycard systems are inherently unsafe

    They can be picked with a tablet and an electronic connection at the door. Google it. Don't leave anything of value in your room unprotected... ever.

    1. Anonymous Coward

      Re: Most hotel keycard systems are inherently unsafe

      Concur.

      I know only a couple with decent systems and they were put in place only because they also rent out rooms on long term leases to various "interesting" people who are supposedly diplomats(*). As a "mere coincidence" the hotels in question are also run by the mob (they are in Eastern Europe).

      Most are complete and utter crap - cards you can clone with a reader from Maplin, locks you can pawn in a minute or so, if you have suitable tools - you name it.

      (*) While they do carry diplomatic passports, their activities are anything but diplomatic

  6. 0laf

    Test run?

    Those locks and controllers are bound to be in thousands of hotels globally. Maybe they're just testing before automating the process to get some real cash rolling in.

    I wouldn't be surprised at all to see a backlash against IOT eventually. But it's still building up before it crashes and burns.

  7. Anonymous Coward

    Really?

    The big thing not mentioned... What the hell is the keycard computer doing on the internet in the first place?!!! Why isn't it on a standalone unit in the manager's office? To me, that makes the most sense.

    1. Frank Bitterlich

      Re: Really?

      It's not a "standalone unit"...

      ... because it has to be accessible from the reception (after all, it's them who are programming the key cards) and (for some system types) by every door lock.

      And who said it was accessible from the internet? It might just have been infected when somebody from the reception (or office staff, ...) opened a booby-trapped email attachment.

      BTW, after reading the referenced article, I'm not even sure that the crims explicitly targeted the keycard system. Disabling that might just have been a "lucky" side effect from encrypting all files, including the keycard database.

      And finally, replacing the electronic locks with old-fashioned key locks will cost a fortune and will only solve a tiny part of the problem. Good luck when your reservation system or credit card terminal are hit. That's pretty much of a business showstopper too.

      1. Robert Helpmann??
        Childcatcher

        Re: Really?

        > And who said it was accessible from the internet? It might just have been infected when somebody from the reception (or office staff, ...) opened a booby-trapped email attachment.

        Directly or indirectly, it was accessible which is how it was pwned. In light of the countermeasures mentioned in the article, specifically decoupling networks, it seems pretty obvious this was the case when the attack took place and has since been remedied. Such a shame that this obvious step was taken only in response to an attack.

        Hotels are notoriously lax when it comes to electronic security, but this has typically just been to the detriment of their customers. I would like to think they would step it up a notch in response to these sorts of attacks, but the past would seem to indicate the opposite to be true.

  8. razorfishsl

    WTF would you have your doorlock system attached to the internet?
